Weekly round-up: Stage 2 final rule
 |
| Beth Walsh, Editor, CMIO |
The Centers of Medicare & Medicaid Services (CMS) recognizes that it’s a big undertaking for all the EHR vendors to get all of their products upgraded and recertified, and then get the updates rolled out to all of their customers, said Elizabeth Shinberg Holland, MPA, director of the Health IT Initiatives Group, Office of E-health Standards and Services at CMS. “We’re trying to be cognizant of that and stagger the dates in 2014. Everybody gets a shorter reporting period.”
Regarding quality objectives, some are much more complex, said consultant Jason Fortin. Almost all of the Stage 1 measures are mandatory in Stage 2, but several were combined which results in a lot of nuances. For example, the coordination of care measure contains four submeasures while in Stage 1 there was a single measure for each objective. How well facilities do with the changes will probably depend on how familiar they were with the proposed rule, he said. “The changes are consistent with what CMS proposed.”
A point of increased emphasis for the final rule is encryption of “data at rest”—the patient-identifiable information stored on servers, hard drivers and portable devices. The increased emphasis most likely is due to the more than 50,000 breaches reported to the Office of Civil Rights since late 2009 when healthcare organizations were first required by the ARRA to notify the government of their breaches.
The Stage 2 final rule specifically addresses this situation. "Recent HHS [Health and Human Services Department] analysis of reported breaches indicates that almost 40 percent of large breaches involve lost or stolen devices," the rule read. “Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element" of the HIPAA security rule as a Meaningful Use measure.
Had the leadership of Cancer Care Group put more consideration into this portion of the final rule, the practice might have prevented a data breach. Just when I thought we might go one week without reporting a data breach, the news came in that personal health information for approximately 55,000 patients at the Indianapolis-based practice was compromised after a bag with a laptop containing the company's computer server back-up media was stolen from an employee's locked vehicle in July.
The stolen laptop contained names, addresses, birth dates and Social Security numbers for patients, as well as medical record numbers and insurance information, according to the Indianapolis Business Journal. It also contained similar information about employees of the group of more than 20 oncologists.
Is your patient information stored on encrypted media?
Beth Walsh
CMIO Editor
bwalsh@trimedmedia.com
Beth Walsh,
Editor
Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.